update-content
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to read external content (target files) and governance configuration (`RULE.md`) and follow the 'rules' found within them.
  - Ingestion points: The skill uses a `Read` tool to ingest the full content of existing files (Step 2) and `RULE.md` governance files (Step 3).
  - Boundary markers: No boundary markers or instructions to ignore embedded commands are specified when processing these files.
  - Capability inventory: The skill possesses powerful capabilities including file writing (`Write`), file editing (`Edit`), and shell-based searching (`find`, `grep`).
  - Sanitization: There is no mention of sanitizing or escaping the content read from these files before the agent processes them as instructions for formatting or governance.
- Command Execution (HIGH): The skill explicitly instructs the agent to use shell commands (`find . -name "*keyword*"` and `grep -r "keyword" .`) for searching. If the 'keyword' (derived from user input) contains shell metacharacters (e.g., `;`, `|`, `&&`), it could lead to arbitrary command execution on the host system.
- Privilege Escalation / Governance Bypass (MEDIUM): In the 'Error Handling' section for 'RULE.md Forbids Updates', the skill explicitly suggests a workflow to 'override rule'. This provides a direct path for users or potentially malicious files (via indirect injection) to bypass established security and organizational constraints defined in the governance layer.
Recommendations
- AI detected serious security threats
Audit Metadata